Are you worried about a third-party vendor leaking your data? Wondering how to prevent third-party breaches?
According to Forrester, 55% of organizations experienced an incident or breach involving a third-party provider in 2021.
Verizon research found that third-party vendors were responsible for 62% of system intrusion incidents.
With businesses outsourcing more and more of their business-critical data and functionality to third-party vendors, it’s no surprise that attackers have focused their efforts there as well.
As a result, organizations are looking for ways to mitigate the impact of third-party breaches.
That’s what we’re going to cover below. You’ll learn about the risk of third-party breaches as well as a number of ways you can prevent them from happening.
What Is A Third-Party Data Breach
A third-party data breach refers to a situation where a company's data or systems are compromised due to a security incident or breach that occurs at one of its third-party vendors, suppliers, or service providers.
In this scenario, the company itself is not directly hacked; rather, the breach occurs at a third-party organization that the company has shared data with or granted access to its systems. The third party could be a cloud service provider, a payroll processor, a software vendor, or any other external entity with which the company has a business relationship.
Why Are Third-Party Data Breaches Increasing
A number of factors have contributed to the increase in third-party breaches. Firstly, the trend to outsource functions like cloud storage or payment processing has enlarged the overall ecosystem of potential vulnerabilities. Additionally, supply chains are becoming more complex, which makes it difficult to secure data shared across different entities.
Furthermore, most organizations have no real oversight of their third-party vendors’ security. Finally, the fact that a single vulnerability in a third-party vendor can grant access to the data of multiple organizations makes vendors an ideal target.
What Causes Third-Party Data Breaches
Similar to first-party data breaches, third-party data breaches occur for a variety of reasons, often involving a combination of technical, human, and organizational factors. Here are some common causes:
- Weak or Stolen Credentials: The use of weak passwords or the theft of login credentials can allow attackers to gain unauthorized access to systems and data.
- Phishing Attacks: Cybercriminals use phishing emails to trick individuals into revealing sensitive information or clicking on malicious links that install malware or steal credentials.
- Malware and Ransomware: Malicious software, including ransomware attacks, can be used to infiltrate networks, steal data, or lock data until a ransom is paid.
- Insider Threats: Employees or contractors with malicious intent or those who are careless can inadvertently or intentionally cause a data breach by mishandling sensitive information or accessing systems they shouldn’t.
- Software Vulnerabilities: Unpatched software or systems with known vulnerabilities can be exploited by attackers to gain access to sensitive data.
- Third-Party Vendors: Breaches in the systems of third-party vendors or service providers can lead to the exposure of an organization’s data.
- Physical Security Breaches: Unauthorized physical access to facilities or devices, such as laptops or servers, can result in data theft or loss.
- Configuration Errors: Misconfigured databases, servers, or cloud storage can leave sensitive data exposed to the internet or vulnerable to unauthorized access.
- Social Engineering: Tactics like pretexting or baiting can manipulate individuals into revealing sensitive information or providing access to restricted areas.
- Human Error: Simple mistakes, such as sending an email to the wrong recipient or losing a device containing sensitive data, can lead to a data breach.
Examples of Third-Party Breaches
In recent years, third-party data breaches have become increasingly common, exposing sensitive information and causing significant damage to both organizations and individuals. Here are some notable examples:
- AT&T: In March 2024, 73 million AT&T accounts had their data leaked due to a breach of a third-party vendor's system. The data was originally put up for sale in 2021 and then was released for free in 2024.
- Chick-fil-A: In March 2023, Chick-fil-A reported a credential stuffing attack that compromised 71,473 accounts, with data obtained from a third-party source.
- T-Mobile: In January 2023, T-Mobile suffered a data breach exposing the personal information of over 40 million customers due to a third-party vendor's system breach.
- Okta: In October 2023, Okta’s third-party, Rightway Healthcare, experienced a security incident exposing personal and healthcare data of nearly 5,000 Okta employees and their dependents.
- Dollar Tree: In August 2023, Dollar Tree announced a data breach affecting almost 2 million people due to a hack of service provider Zeroed-In Technologies.
- MOVEit Vulnerability Exploit: In May 2023, several organizations and US government agencies experienced intrusions related to a vulnerability in MOVEit Transfer. The breach was estimated to affect over 60 million people.
- Uber: In December 2022, Uber confirmed a third-party data breach after hackers accessed data via the company’s vendor, Teqtivity.
- UK Metropolitan Police: In August 2023, the Metropolitan Police suffered a data breach due to a third-party vendor. The breach leaked officers’ and staff’s names, ranks, photos, vetting levels, and pay numbers.
- SolarWinds: In December 2020, SolarWinds, a software company that provides IT management tools, was the victim of a supply chain attack that allowed hackers to access the systems of several government agencies and private companies through a compromised software update.
- Marriott: In September 2018, Marriott International revealed a data breach that exposed personal information of around 500 million guests. The breach was traced back to a third-party reservation system used by Starwood, which Marriott had acquired in 2016.
Best Practices for Preventing Third-Party Security Breaches
Organizations often rely on external vendors, suppliers, and service providers for mission-critical services. If one of those vendors experiences a breach, the cascading effects can be significant. Here are some best practices to help prevent third-party breaches:
- Due Diligence: Before engaging with a third party, conduct thorough due diligence to assess their security posture. This includes reviewing their security policies, procedures, and track record.
- Risk Assessment: Perform a risk assessment to identify potential security risks associated with the third party. This will help you understand the level of risk they expose you to based on the access they require.
- Contractual Agreements: Ensure that contracts with third parties include clear security requirements and obligations. Specify the standards they must adhere to, such as ISO 27001, GDPR, or HIPAA, depending on the nature of the data they will access.
- Access Control: Limit third-party access to only what is necessary for them to perform their services. Implement the principle of least privilege and regularly review and adjust access permissions.
- Vendor Risk Management Program: Establish a third-party risk management program that oversees the entire lifecycle of third-party relationships, from vendor selection to offboarding. Where possible, minimize the number of third-party vendors you work with, reducing the attack surface and simplifying vendor risk management efforts.
- Multi-Factor Authentication: Implement multi-factor authentication (MFA) for all third-party access to your systems and data, reducing the risk of unauthorized access through compromised credentials.
- Secure Software Development: If working with third-party software vendors, ensure they follow secure software development practices, such as code reviews, vulnerability testing, and secure coding practices.
- Incident Response Plan: Ensure that third parties have an incident response plan in place and that it aligns with your organization’s plan. Clearly define roles and responsibilities in the event of a security breach.
- Data Encryption: Ensure that sensitive data is encrypted both in transit and at rest. This adds an extra layer of security in case of a breach.
- Threat Intelligence: Data breach monitoring services provide threat intelligence by tracking underground forums, dark web markets, and other sources where stolen data is leaked or sold. This intelligence can help identify if your vendors have been compromised and your data has been exposed.
How Breachsense Can Help Prevent Third-Party Data Breaches
Organizations have control over their own networks. They can add tooling, monitor traffic, and run security audits at will. However, they have much less visibility into the security of their vendors.
Breachsense helps mitigate that risk by continuously monitoring the dark web for leaked data associated with your third-party service providers.
By proactively resetting leaked credentials and session tokens, businesses can mitigate their risk before criminals exploit the data.
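As an added example (not Breachsense’s code or API), here is the triage step that such monitoring feeds into: a constructed leak feed is matched against an inventory of vendor accounts that hold access to your environment and against their active sessions, producing credential resets and session revocations only for accounts that actually have access, and a vendor notification for the rest. All vendor names, records and session ids are constructed for illustration.

```python
# Constructed inventory: vendor domains and the vendor accounts provisioned with access to us.
VENDOR_ACCOUNTS = {
    "payroll-vendor.example": {"ops@payroll-vendor.example", "api-svc@payroll-vendor.example"},
    "cloudstore.example": {"admin@cloudstore.example"},
}

# Constructed leak records, shaped like a dark-web monitoring feed might report them.
LEAK_FEED = [
    {"email": "ops@payroll-vendor.example", "source": "combolist-2024", "has_password": True},
    {"email": "ceo@unrelated.example", "source": "combolist-2024", "has_password": True},
    {"email": "Admin@CloudStore.example", "source": "infostealer-log", "has_password": False, "cookies": True},
    {"email": "hr@payroll-vendor.example", "source": "combolist-2024", "has_password": True},
]

# Constructed active sessions in our environment, keyed by vendor account.
ACTIVE_SESSIONS = {
    "ops@payroll-vendor.example": ["sess-1a", "sess-2b"],
    "admin@cloudstore.example": ["sess-9z"],
}


def triage_leaks(feed, vendors, sessions):
    """Return sorted (account, [actions]) pairs for leak records that involve our vendors."""
    actions = {}
    for rec in feed:
        email = rec["email"].strip().lower()  # feeds are inconsistently cased
        domain = email.rsplit("@", 1)[-1]
        if domain not in vendors:
            continue  # leak does not involve one of our vendors
        if email not in vendors[domain]:
            # Vendor domain is ours, but this account has no access to us: tell the vendor, don't reset.
            actions.setdefault(email, set()).add("notify-vendor")
            continue
        if rec.get("has_password"):
            actions.setdefault(email, set()).add("reset-credential")
        if rec.get("has_password") or rec.get("cookies"):
            # A leaked password or stolen cookies both invalidate existing sessions.
            for sid in sessions.get(email, []):
                actions.setdefault(email, set()).add(f"revoke-session:{sid}")
    return sorted((acct, sorted(acts)) for acct, acts in actions.items())


if __name__ == "__main__":
    for account, acts in triage_leaks(LEAK_FEED, VENDOR_ACCOUNTS, ACTIVE_SESSIONS):
        print(account, "->", ", ".join(acts))
```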
If your team needs visibility into your third-party vendors, book a meeting to see how Breachsense can help.